i have a website which i know is xss vulnerable. To me it looks like it is non-persistent type vulnerable because the injection happens at url level and not at any forms/button/link action level. Further more this vulnerability exists at the main login page right at the page where user/passwd text box are located.

Now i want to steal victim browser credentials / cookies. But there is a twist in my scenario as since the attack happens before login how em suppose to get the session cookie? and secondly is there a code available which would let me write / inject my own form box (with my own input/username/password input box) for data-entry.

From there when the user enter his credentials and click login ; these credentials would be sent on my server-file do i have write some kind of parser for url filtering and then later save it to the file on my server?

in order to keep the noise level low; em thinking when the user hits the fake login button he would be shown a pop-up box which says something (Server error please refresh the page) on this the whole attack history would be gone and he would be presented with the original page. For victim it would be something like a server glitch .....

Em i on the right path....please guide me guys..and let me know if such a code exists (In my scenario above)...